The Federal Trade Commission (FTC) has updated its Safeguards Rule following widespread data breaches involving consumers' personal and financial information. The move tightens the security standards financial institutions must follow.
- The FTC has updated its Safeguards Rule, which dictates how financial institutions must secure the financial data of their customers.
- The agency's chair and one commissioner provided a joint statement in support of the update, pointing to the 2017 Equifax data breach, among others, as the reason for the change.
- The update includes specific criteria that financial institutions must meet to stay in compliance.
New Update to Provide More Security for Consumers
The FTC announced last week a new measure to better protect consumers against identity theft and financial losses that could arise from data breaches.
Data breaches occur when cybercriminals access data from a computer system without permission. Depending on the target, a breach can give identity thieves access to consumers' personal information, credit card details, account numbers, and other data that they can use to perpetrate other crimes or sell to other criminals.
In a joint statement, FTC Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter pointed to the Equifax data breach in 2017, which exposed the information of 147 million people, and other recent widespread data breaches as the reason for the updates.
The final rule provides more specific criteria for what safeguards financial institutions are required to implement to protect consumers' financial data. Examples include limiting who can access the data and using encryption to secure it.
Financial institutions will also be required to explain their information-sharing practices. That includes administrative, technical, and physical safeguards the institutions use to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle their customers' secure information.
Finally, financial institutions will be required to designate a single qualified individual to oversee their information security program. This individual must regularly report to a senior officer in charge of information security or to the organization's board of directors.
The FTC is seeking public comment on whether it should make additional changes to the Safeguards Rule, which also requires organizations to report certain data breaches and other security events to the agency. The public will have 60 days to submit comments.